ramnit | ad3f4fa7a3100446a4140c75b09a8c618416d85b737650126355123d619b3dc7

Analysis

max time kernel
120s
max time network
99s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad3f4fa7a3100446a4140c75b09a8c618416d85b737650126355123d619b3dc7N.dll
Size

2.0MB
MD5

a363d81a1c6229bbf18ddfaf3d004420
SHA1

3d91cdd8e44ab89a192c280ec220abca82752db6
SHA256

ad3f4fa7a3100446a4140c75b09a8c618416d85b737650126355123d619b3dc7
SHA512

6bd87526984c2558bd07bf05a2edee3979d40d24d5b9e7de3ce09ee8cfe5aae65c81a87f3c8d79d43bf7df841e38d117ea99ee8a4787e26d9fa824da19720dd5
SSDEEP

24576:r7IY7a9IRCRqRPkHQo411810cNScGKJydXTZDwmzRMo3DP7x5nbiQj8CTefFfUPI:fIY5RMHMf810Knor5zqo3zNJuQjb4FyQ

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
2580	rundll32mgr.exe
1640	rundll32mgrmgr.exe
2948	WaterMark.exe
2136	WaterMarkmgr.exe
2348	WaterMark.exe
2752	WaterMark.exe
2108	WaterMarkmgr.exe

Loads dropped DLL 14 IoCs

pid	Process
1236	rundll32.exe
1236	rundll32.exe
2580	rundll32mgr.exe
2580	rundll32mgr.exe
2580	rundll32mgr.exe
2580	rundll32mgr.exe
2948	WaterMark.exe
2948	WaterMark.exe
1640	rundll32mgrmgr.exe
2136	WaterMarkmgr.exe
2136	WaterMarkmgr.exe
1640	rundll32mgrmgr.exe
2752	WaterMark.exe
2752	WaterMark.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2580-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2948-72-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2136-80-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1640-42-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1640-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2580-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2580-37-0x0000000000120000-0x0000000000150000-memory.dmp	upx
behavioral1/memory/2580-36-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1640-67-0x0000000000700000-0x0000000000756000-memory.dmp	upx
behavioral1/memory/2580-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2580-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2580-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2348-135-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2948-117-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2580-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2580-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2948-749-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wordpad.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\qipcap64.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_avi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\OmdProject.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jdwp.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\PipeTran.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libgain_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\npt.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxwebkit.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_10_p010_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\msoe.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Tools.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\pdmproxy100.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nss3.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	1236	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2948	WaterMark.exe
2948	WaterMark.exe
2948	WaterMark.exe
2948	WaterMark.exe
2948	WaterMark.exe
2948	WaterMark.exe
2948	WaterMark.exe
2948	WaterMark.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	WaterMark.exe
Token: SeDebugPrivilege	1952	svchost.exe
Token: SeDebugPrivilege	1236	rundll32.exe
Token: SeDebugPrivilege	2576	WerFault.exe
Token: SeDebugPrivilege	2948	WaterMark.exe

Suspicious use of UnmapMainImage 7 IoCs

pid	Process
2580	rundll32mgr.exe
1640	rundll32mgrmgr.exe
2948	WaterMark.exe
2136	WaterMarkmgr.exe
2752	WaterMark.exe
2348	WaterMark.exe
2108	WaterMarkmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1236	1968	rundll32.exe	30
PID 1968 wrote to memory of 1236	1968	rundll32.exe	30
PID 1968 wrote to memory of 1236	1968	rundll32.exe	30
PID 1968 wrote to memory of 1236	1968	rundll32.exe	30
PID 1968 wrote to memory of 1236	1968	rundll32.exe	30
PID 1968 wrote to memory of 1236	1968	rundll32.exe	30
PID 1968 wrote to memory of 1236	1968	rundll32.exe	30
PID 1236 wrote to memory of 2580	1236	rundll32.exe	31
PID 1236 wrote to memory of 2580	1236	rundll32.exe	31
PID 1236 wrote to memory of 2580	1236	rundll32.exe	31
PID 1236 wrote to memory of 2580	1236	rundll32.exe	31
PID 2580 wrote to memory of 1640	2580	rundll32mgr.exe	32
PID 2580 wrote to memory of 1640	2580	rundll32mgr.exe	32
PID 2580 wrote to memory of 1640	2580	rundll32mgr.exe	32
PID 2580 wrote to memory of 1640	2580	rundll32mgr.exe	32
PID 1236 wrote to memory of 2576	1236	rundll32.exe	33
PID 1236 wrote to memory of 2576	1236	rundll32.exe	33
PID 1236 wrote to memory of 2576	1236	rundll32.exe	33
PID 1236 wrote to memory of 2576	1236	rundll32.exe	33
PID 2580 wrote to memory of 2948	2580	rundll32mgr.exe	34
PID 2580 wrote to memory of 2948	2580	rundll32mgr.exe	34
PID 2580 wrote to memory of 2948	2580	rundll32mgr.exe	34
PID 2580 wrote to memory of 2948	2580	rundll32mgr.exe	34
PID 2948 wrote to memory of 2136	2948	WaterMark.exe	35
PID 2948 wrote to memory of 2136	2948	WaterMark.exe	35
PID 2948 wrote to memory of 2136	2948	WaterMark.exe	35
PID 2948 wrote to memory of 2136	2948	WaterMark.exe	35
PID 2136 wrote to memory of 2348	2136	WaterMarkmgr.exe	37
PID 2136 wrote to memory of 2348	2136	WaterMarkmgr.exe	37
PID 2136 wrote to memory of 2348	2136	WaterMarkmgr.exe	37
PID 2136 wrote to memory of 2348	2136	WaterMarkmgr.exe	37
PID 1640 wrote to memory of 2752	1640	rundll32mgrmgr.exe	36
PID 1640 wrote to memory of 2752	1640	rundll32mgrmgr.exe	36
PID 1640 wrote to memory of 2752	1640	rundll32mgrmgr.exe	36
PID 1640 wrote to memory of 2752	1640	rundll32mgrmgr.exe	36
PID 2948 wrote to memory of 2708	2948	WaterMark.exe	38
PID 2948 wrote to memory of 2708	2948	WaterMark.exe	38
PID 2948 wrote to memory of 2708	2948	WaterMark.exe	38
PID 2948 wrote to memory of 2708	2948	WaterMark.exe	38
PID 2948 wrote to memory of 2708	2948	WaterMark.exe	38
PID 2948 wrote to memory of 2708	2948	WaterMark.exe	38
PID 2948 wrote to memory of 2708	2948	WaterMark.exe	38
PID 2948 wrote to memory of 2708	2948	WaterMark.exe	38
PID 2948 wrote to memory of 2708	2948	WaterMark.exe	38
PID 2948 wrote to memory of 2708	2948	WaterMark.exe	38
PID 2752 wrote to memory of 2108	2752	WaterMark.exe	39
PID 2752 wrote to memory of 2108	2752	WaterMark.exe	39
PID 2752 wrote to memory of 2108	2752	WaterMark.exe	39
PID 2752 wrote to memory of 2108	2752	WaterMark.exe	39
PID 2948 wrote to memory of 1952	2948	WaterMark.exe	40
PID 2948 wrote to memory of 1952	2948	WaterMark.exe	40
PID 2948 wrote to memory of 1952	2948	WaterMark.exe	40
PID 2948 wrote to memory of 1952	2948	WaterMark.exe	40
PID 2948 wrote to memory of 1952	2948	WaterMark.exe	40
PID 2948 wrote to memory of 1952	2948	WaterMark.exe	40
PID 2948 wrote to memory of 1952	2948	WaterMark.exe	40
PID 2948 wrote to memory of 1952	2948	WaterMark.exe	40
PID 2948 wrote to memory of 1952	2948	WaterMark.exe	40
PID 2948 wrote to memory of 1952	2948	WaterMark.exe	40
PID 1952 wrote to memory of 256	1952	svchost.exe	1
PID 1952 wrote to memory of 256	1952	svchost.exe	1
PID 1952 wrote to memory of 256	1952	svchost.exe	1
PID 1952 wrote to memory of 256	1952	svchost.exe	1
PID 1952 wrote to memory of 256	1952	svchost.exe	1

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1376
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1580
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:860
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:996
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:300
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:656
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1080
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1100
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1192
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2008
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:844
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:476
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad3f4fa7a3100446a4140c75b09a8c618416d85b737650126355123d619b3dc7N.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad3f4fa7a3100446a4140c75b09a8c618416d85b737650126355123d619b3dc7N.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
        
        C:\Windows\SysWOW64\rundll32mgrmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        
        PID:2108
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        
        PID:2348
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2708
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 232
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
609KB

MD5
3ea0acb71aa446d3d663eec45d4712f5

SHA1
0d7ba8ce7142aea5c91db79844727d570d22cdb0

SHA256
2d94ff02d7d07526ecf15d06187581a5564d2c0109516ac56bdeab9626da3794

SHA512
45843acaf918fa8e3a6965f0e56858025002fd4ef9d35fd15d2affa73373fb7bf1d9c0580741c17d4fed7d6078932ac3bc9327bde43eac730df94bf2d0fba1e5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
605KB

MD5
5e80375bd5090233b06db6355e686c77

SHA1
c2752f3f57249e1f792160405057c58c4f9dc49d

SHA256
c7a9b7189a804345dcffa8e4836e0527d9464b197b1399d69864e32416a80c32

SHA512
92f13f0e1fc554b106946c66adffb7ec94bf3df9b9563fb3cb772f9ccecfb57c4f344e09422e1ab1ca0f1b45cd89d67fead6e9c634fdc5364e5a25f47e8b62c4

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
147KB

MD5
53f47d43cf57a2a3eecd95d837c3de80

SHA1
d25e1fd3ba16ecf411e3e8d549e1f9746faa3c82

SHA256
6ec9b8f4b366f1f5524bd8f6fca2c6131695bc597f30c8f124bbc76522cdce11

SHA512
e45015667bb65083feeb1d9146d6a4d09702b4f093ae42b4c35077a1e9ddea60afe9fd24946637d627e12ce81b2994bfe3c48d56d6b5117b5011258836de1e05

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
297KB

MD5
63830b4ce4da1fa807c0c0ecd128a853

SHA1
5cdc32594fc52d9d2ce1dd28823d14c9c25b7ce0

SHA256
e510e44bd990e1936484e9e80602744135f5043591a3785a8f92a8590fc50803

SHA512
14cfd70a1714cc8a5852b994c257418d1942d7badb0b6b022f163b8ff50c4bf5528ea70ec8df75b70a7200179cfbb2a49a3921b5727af31e7c82c169e4745fbb

Download Submit
memory/1236-30-0x0000000000280000-0x00000000002D6000-memory.dmp

Filesize
344KB

Download
memory/1236-32-0x0000000000280000-0x00000000002D6000-memory.dmp

Filesize
344KB

Download
memory/1236-8-0x0000000010000000-0x0000000010395000-memory.dmp

Filesize
3.6MB

Download
memory/1236-20-0x0000000010000000-0x0000000010395000-memory.dmp

Filesize
3.6MB

Download
memory/1640-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1640-42-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1640-67-0x0000000000700000-0x0000000000756000-memory.dmp

Filesize
344KB

Download
memory/2108-138-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-80-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2136-69-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2348-135-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2348-89-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2580-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2580-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2580-37-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/2580-38-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2580-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2580-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2580-41-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/2580-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2580-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2580-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2580-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2708-92-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2708-136-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2708-118-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2708-131-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2708-130-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2708-129-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2708-123-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2708-94-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2752-128-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/2752-127-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/2948-101-0x00000000773AF000-0x00000000773B0000-memory.dmp

Filesize
4KB

Download
memory/2948-64-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/2948-90-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2948-117-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2948-63-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/2948-496-0x00000000773AF000-0x00000000773B0000-memory.dmp

Filesize
4KB

Download
memory/2948-749-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2948-52-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2948-72-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download